Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:wan:multiwan:mwan3 [2023/05/03 18:26] – [Command line (SSH)] jamesmacwhitedocs:guide-user:network:wan:multiwan:mwan3 [2024/05/17 08:30] – [nft2ipset init script] jamesmacwhite
Line 1: Line 1:
 ====== mwan3 (Multi WAN load balancing/failover) ====== ====== mwan3 (Multi WAN load balancing/failover) ======
  
-  * 22.03: Latest release: [[:packages:pkgdata:mwan3|2.11.4]]+  * 23.05: Latest release: [[:packages:pkgdata:mwan3|2.11.8]] 
 +  * 22.03: Latest release: 2.11.7
   * 21.02: Latest release: 2.10.13-1   * 21.02: Latest release: 2.10.13-1
-  * 19.07 or older: No longer supported or maintained. 
  
 ==== About mwan3 ==== ==== About mwan3 ====
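
Review bot: The release list keeps the 21.02 bullet with no status while removing the "19.07 or older: No longer supported or maintained" line, yet this same revision adds "No longer supported." under the 21.02 heading further down. Suggest marking the 21.02 bullet as unsupported here as well, so the support status is visible at the top of the page where a reader picks a release.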
Line 59: Line 59:
  
 ==== OpenWrt version ==== ==== OpenWrt version ====
 +
 +=== 23.05 ===
 +
 +The mwan3 package is mostly unchanged between 22.03 and 23.05, with some additional fixes but otherwise mostly the same.
 +
 +**Known issues:**
 +
 +   * [[https://github.com/openwrt/packages/issues/22474|mwan3: ipset functionality broken on 23.05]]. [[docs:guide-user:network:wan:multiwan:mwan3#nft2ipset_init_script|Workaround init script available]].
  
 === 22.03 === === 22.03 ===
  
-The latest version of mwan3 is currently available in the 22.03 packages repository. While 22.03 switched to nftables for firewall management, mwan3 has not been updated to natively support nftables yet and therefore needs the ''iptables-nft'' and ''ip6tables-nft'' packages installed for a iptables compatibility layer for firewall rules to work. [[docs:guide-user:network:wan:multiwan:mwan3#installation|See installation steps]] for more information.+22.03 switched to firewall4/nftables for firewall management, mwan3 has not been updated to natively support nftables yet and therefore needs the ''iptables-nft'' and ''ip6tables-nft'' packages installed for a iptables compatibility layer for firewall rules to work. [[docs:guide-user:network:wan:multiwan:mwan3#installation|See installation steps]] for more information.
  
 **Known issues:** **Known issues:**
  
-There are a couple of regressions between 2.10 and 2.11 identified with sticky rules and ipset. An issue with fwmark and tunnel connections can cause traffic to be incorrectly routed e.g. L2TP, 6in4 and IPv6 traffic within the tunnel+There are a few regressions between 2.10 and 2.11 identified with sticky rules and ipset. 
 +An issue with fwmark and tunnel connections can cause traffic to be incorrectly routed e.g. L2TP, 6in4 and IPv6 traffic within the tunnel is also present under certain configurations.
  
-  * [[https://github.com/openwrt/packages/issues/19472|mwan3: Legacy rules detected]] +  * [[https://github.com/openwrt/packages/issues/19472|mwan3: Legacy rules detected]] (See installation steps) 
-  * [[https://github.com/openwrt/packages/pull/20900|mwan3: fix addition of routes to mwan3_connected ipset]] +  * <del>[[https://github.com/openwrt/packages/pull/20900|mwan3: fix addition of routes to mwan3_connected ipset]]</del> 
-  * [[https://github.com/openwrt/packages/pull/20901|mwan3: fix addition of iptables rules for mwan3 sticky rules]]+  * <del>[[https://github.com/openwrt/packages/pull/20901|mwan3: fix addition of iptables rules for mwan3 sticky rules]]</del>
   * [[https://github.com/openwrt/packages/pull/20923|mwan3: fix some tunnels assigned the wrong mark]]   * [[https://github.com/openwrt/packages/pull/20923|mwan3: fix some tunnels assigned the wrong mark]]
  
 === 21.02 === === 21.02 ===
 +
 +**No longer supported.**
  
 The version of mwan3 in 21.02 is 2.10.13-1, it has a lot of improvements over the version in 19.07 for both performance and stability.  The version of mwan3 in 21.02 is 2.10.13-1, it has a lot of improvements over the version in 19.07 for both performance and stability. 
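
Review bot: The rewritten known-issues sentence under 22.03 no longer parses: "An issue with fwmark and tunnel connections can cause traffic to be incorrectly routed e.g. L2TP, 6in4 and IPv6 traffic within the tunnel is also present under certain configurations." Suggest reordering to "An issue with fwmark and tunnel connections is also present under certain configurations and can cause traffic (e.g. L2TP, 6in4 and IPv6 traffic within the tunnel) to be incorrectly routed." Since this describes misrouted tunnel traffic, it would also help to say whether it is the issue addressed by the pull request 20923 entry left unstruck in the list below. The new 23.05 paragraph says "mostly unchanged" and "otherwise mostly the same" in one sentence; one of the two can go.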
Line 127: Line 138:
  
 <WRAP center info 100%> <WRAP center info 100%>
-For routers using 22.03 or snapshot which uses firewall4/nftables, the packages ''iptables-nft'' and ''ip6tables-nft'' are needed for mwan3 functionality to work. mwan3 does not currently natively support nftables, but does function with the iptables-nft/ip6tables-nft backend which will translate rules to be compatiable with nftables.+For routers using 22.03 or above the default firewall uses firewall4/nftables, the packages ''iptables-nft'' and ''ip6tables-nft'' are needed for mwan3 functionality to work. mwan3 does not currently natively support nftables, but does function with the iptables compatibility backend which will translate rules to be compatible with nftables.
 </WRAP> </WRAP>
  
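
Review bot: The new opening of the info box runs two statements together: "For routers using 22.03 or above the default firewall uses firewall4/nftables, the packages ''iptables-nft'' and ''ip6tables-nft'' are needed". Suggest splitting it, for example "Routers on 22.03 or above use firewall4/nftables as the default firewall. The packages ''iptables-nft'' and ''ip6tables-nft'' are needed for mwan3 functionality to work." Both package names should stay explicit, since the text states that mwan3 depends on them for its firewall rules.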
Line 173: Line 184:
 **Using IPv6 with mwan3:** **Using IPv6 with mwan3:**
  
-  - If your IPv6 is using a tunnel type connection such as 6in4 or Wireguard, you are strongly advised to use OpenWrt 19.07.5 and above which has important kernel patches that fix issues with ping which affects the mwan3track component.+  - Newer versions of mwan3 have better IPv6 supportensure you are running a supported OpenWrt version, as various IPv6 related areas have been addressed in recent versions.
   - You will need to split your WAN network interfaces, so one interface has your IPv4 WAN and another for the IPv6 WAN. A common example convention is wan and wan6 (default with OpenWrt), along with an additional WAN interfaces such as wanb and wanb6 etc. Your IPv6 interface can be an alias interface in most cases. You then define each interface in mwan3 with the address family of either ''ipv4'' or ''ipv6'' and create a member profile for each to be used in policies assigned to your rules so IPv4 and IPv6 traffic is handled. mwan3 cannot currently handle IPv4 and IPv6 configuration on a single interface.   - You will need to split your WAN network interfaces, so one interface has your IPv4 WAN and another for the IPv6 WAN. A common example convention is wan and wan6 (default with OpenWrt), along with an additional WAN interfaces such as wanb and wanb6 etc. Your IPv6 interface can be an alias interface in most cases. You then define each interface in mwan3 with the address family of either ''ipv4'' or ''ipv6'' and create a member profile for each to be used in policies assigned to your rules so IPv4 and IPv6 traffic is handled. mwan3 cannot currently handle IPv4 and IPv6 configuration on a single interface.
-  - You will need to implement some form of IPv6 masquerading such as NETMAP or NPTv6 or [[docs:guide-user:network:ipv6:ipv6.nat6|NAT66]] for mwan3 to work properly across multiple WAN interfaces.+  - You will likely need to implement some form of IPv6 masquerading such as NETMAP or NPTv6 or [[docs:guide-user:network:ipv6:ipv6.nat6|NAT66]] for mwan3 and IPv6 traffic to work properly across multiple WAN interfaces.
  
 NETMAP, NPTv6 and NAT66 all are configuration options that can work with mwan3, but it is up to you to implement the IPv6 configuration required. mwan3 does not currently implement any IPv6 masquerading by itself. NETMAP, NPTv6 and NAT66 all are configuration options that can work with mwan3, but it is up to you to implement the IPv6 configuration required. mwan3 does not currently implement any IPv6 masquerading by itself.
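
Review bot: The replacement for the first list item drops the concrete guidance (OpenWrt 19.07.5 and above, kernel patches affecting ping and the mwan3track component on 6in4 or Wireguard tunnels) in favour of "a supported OpenWrt version" without saying which versions those are. Suggest pointing to the "OpenWrt version" section of this page, or naming the minimum release. The new text is also missing punctuation between "support" and "ensure". In the third item, "will likely need" softens the requirement without saying when IPv6 masquerading is not needed; a short clause naming that case would keep the item actionable.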
Line 211: Line 222:
 === Routers using Distributed Switch Architecture (DSA) === === Routers using Distributed Switch Architecture (DSA) ===
  
-From 21.02 onwards some targets will use [[docs:techref:hardware:switch|DSA]] which is different and not compatible with the instructions for swconfig. You can find a [[:docs:guide-user:network:dsa:converting-to-dsa|converting to DSA guide]] for additional guidance for switch/VLAN management for router targets using DSA.+From 21.02 onwards most targets will use [[docs:techref:hardware:switch|DSA]] which is different and not compatible with the instructions for swconfig. You can find a [[:docs:guide-user:network:dsa:converting-to-dsa|converting to DSA guide]] for additional guidance for switch/VLAN management for router targets using DSA.
  
   - Go to **Network > Interfaces** and select the Devices tab. Click configure on the br-lan device.   - Go to **Network > Interfaces** and select the Devices tab. Click configure on the br-lan device.
Line 610: Line 621:
  
 === ipset support === === ipset support ===
 +
 +<WRAP center important 100%>
 +ipset functionality is broken in 23.05 due to the ''dnsmasq-full'' package no longer being compiled with ipset support in favour of nftables. As mwan3 does not currently support nftables natively, this functionality no longer works. [[https://forum.openwrt.org/t/23-05-dnsmasq-ipsets-and-mwan3-incompatibility/174926|More information and further discussion]]. A [[docs:guide-user:network:wan:multiwan:mwan3#nft2ipset init script|workaround init script that converts nfset to ipset is available]] to use until mwan3 is updated to natively support nfset.
 +</WRAP>
  
 ipset is designed to store multiple IP addresses in a single collection, while being performant and easier to maintain. Common usages of ipset include storing large amounts of IP addresses or ranges in a single set as well as conditional routing by domain. As routing ultimately works at the IP layer, being able to use ipset with domain based policies is useful for many websites or services which use multiple IP addresses or large Content Delivery Networks which means the IP address of that domain is constantly changing, individually adding these IP addresses would become unmanageable very quickly, ipset can help maintain this for you. ipset is designed to store multiple IP addresses in a single collection, while being performant and easier to maintain. Common usages of ipset include storing large amounts of IP addresses or ranges in a single set as well as conditional routing by domain. As routing ultimately works at the IP layer, being able to use ipset with domain based policies is useful for many websites or services which use multiple IP addresses or large Content Delivery Networks which means the IP address of that domain is constantly changing, individually adding these IP addresses would become unmanageable very quickly, ipset can help maintain this for you.
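
Review bot: The internal link in the new warning box uses the anchor "#nft2ipset init script" with spaces, while the 23.05 known-issues entry added in this same revision links to "#nft2ipset_init_script". Suggest using the underscore form in both places so both links point at the same section. The box could also state that the breakage applies only when rules rely on dnsmasq to populate the sets, if that is the case, since the stated cause is the ''dnsmasq-full'' compile change.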
Line 1337: Line 1352:
  option family 'ipv4'  option family 'ipv4'
  option use_policy 'wanb_only'  option use_policy 'wanb_only'
 +</code>
 +
 +==== nft2ipset init script ====
 +
 +Due to the default firewall (fw4) now being based on nftables (rather than iptables), the ipset functionality commonly used in conjunction with dnsmasq and mwan3 no longer works in 23.05 releases. This is due to mwan3 not being fully compatible with nftables and requiring iptables compatibility/translation packages (see installation steps). While ipset functionality works in 23.02 without any changes, since the 23.05 release an important dnsmasq compile flag was changed to remove all ipset support in favour of nfset. To restore near like for like functionality a custom init script can be used, [[https://forum.openwrt.org/t/23-05-dnsmasq-ipsets-and-mwan3-incompatibility/174926/40|credit @Kishi on the OpenWrt community forum]]. This script monitors changes to nftables/nfset and creates or updates ipset equivalents, essentially replicating the behaviour of what dnsmasq would do with ipset support enabled.
 +
 +You will need to use nfset with dnsmasq for ipset polices to be created, which mwan3 only supports at this time. mwan3 currently does not support nfset in rules directly, hence the need to create ipset policies.
 +
 +For help with this init script, please message @Kishi on the forum thread and also thank them if you found this useful!
 +
 +The script is [[https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab|published as gist on GitHub]] so the full code can be inspected and reviewed before installing.
 +
 +Installation instructions:
 +
 +<code>
 +wget -O /etc/init.d/nft2ipset https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab/raw/
 +chmod +x /etc/init.d/nft2ipset
 +service nft2ipset enable
 +service nft2ipset start
 </code> </code>
  
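
Review bot: The installation block writes the gist's unpinned "/raw/" URL straight to /etc/init.d/nft2ipset and then enables and starts it, so the reader runs whatever the gist contains at download time, even though the paragraph above says the code can be inspected and reviewed before installing. Suggest linking a specific gist revision instead of the latest raw URL, downloading to a temporary path, and adding an explicit "review the file" step before the chmod and "service nft2ipset enable" lines. Separately, "While ipset functionality works in 23.02" names a release that appears nowhere else on the page (the surrounding text discusses 22.03 and 23.05), and "ipset polices" should read "ipset policies".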
  • Last modified: 2024/11/15 19:05
  • by jeperez